6 Replies Latest reply: May 21, 2014 1:51 AM by Billy~Verreynne RSS

    scan access from external networks

    User511360-OC

      Hello. Inside our internal network our 11gR2 cluster works fine: we have corporate DNS and scan ip resolved OK. But we have number of clients from external networks (through vpn tunnels), that need access to Oracle DB too. Is it using of /etc/hosts with one scan ip on local workstation is the only solution ?

        • 1. Re: scan access from external networks
          J.A.

          Hi

          if your users are using a vpn, then can they reach the dns server ? so they can resolve the SCAN ?, for example I connect with VPN to another network and I am able to use the Scan on RACs.

           

          Or maybe you can use the VIP using TNS balanced connection from your clients:

          EXAMPLE =

          (DESCRIPTION =

          (ADDRESS_LIST=

          (ADDRESS= (PROTOCOL = TCP)(HOST = VIP-server1)(PORT = 1521))

          (ADDRESS= (PROTOCOL = TCP)(HOST = VIP-server2)(PORT = 1521))

          (ADDRESS= (PROTOCOL = TCP)(HOST = VIP-server3)(PORT = 1521))

          (FAILOVER = on)

          (LOAD_BALANCE = on)

          )

          (CONNECT_DATA=

          (SERVICE_NAME = acct.us.yourcompany.com)

          )

          )

           

          Regards

          • 2. Re: scan access from external networks
            Billy~Verreynne

            SCAN IP is simply the initial contact by client with cluster. This is not the IP on which the actual Oracle client-server connection to the database instance will be created.

             

            The initial client connection requests access to a service. The SCAN Listener, from its list of registered services, passes a hostname and port back to the client for creating a client-server connection for that requested service.

             

            Thus the client not only need access/connectivity to the SCAN IP - it also needs to be able to resolve the hostname the SCAN Listener redirects it too, and access/connectivity to that IP and TCP port.

             

            So the issue is not as much resolving the SCAN hostname. The client could just as well use the dotted IP address instead of the SCAN hostname.

             

            The issue is the client receiving a cluster node hostname from the SCAN Listener - and being able to resolve that to an IP, and being able to reach that IP.

            • 3. Re: scan access from external networks
              Jyoti Verma -Oracle

              If you can reach from external network to your corporate network using VPN, then you should be able to make the connection using SCAN as well without any modification.

              • 4. Re: scan access from external networks
                Billy~Verreynne

                Unless there is a firewall or routing issue?

                 

                External connectivity (via VPN or DSL or whatever) can be subjected to a specific IP range (via DHCP), and this IP range can be subjected to its own set of firewalls and routing.

                 

                 

                @User511360-OC - you should make sure that your VPN client can both resolve the RAC's hostnames (VIP and static as both can be used for redirection in some cases), and that access to 1521/tcp works for these hostnames.

                 

                Use the ping command to test hostname resolution and basic connectivity (ICMP is typically not firewalled for this exact reason), and telnet to test access to port 1521 on that hostname.

                • 5. Re: scan access from external networks
                  User511360-OC

                  Thank you for replies. I did some experiments, assuming I'm client from external network and couldn't change any network settings on client's side.

                  A. using tnsnames.ora with vip addresses, so:

                  (ADDRESS= (PROTOCOL = TCP)(HOST = node1-vip-ip-address)(PORT = 1521))

                  (ADDRESS= (PROTOCOL = TCP)(HOST = node2-vip-ip-address)(PORT = 1521))

                   

                  And it's working OK


                  B. using tnsnames.ora with scan ip addresses, so:

                  (ADDRESS= (PROTOCOL = TCP)(HOST = scan1-ip-address)(PORT = 1521))

                  (ADDRESS= (PROTOCOL = TCP)(HOST = scan2-ip-address)(PORT = 1521))

                  (ADDRESS= (PROTOCOL = TCP)(HOST = scan3-ip-address)(PORT = 1521))


                  And it's working OK too. VIP addresses is that case don't need to be resolved, probably because local_listener parameter looks like this:

                  sql>show parameter local_listener

                   

                  VALUE

                  ------------------------------

                  (ADDRESS=(PROTOCOL=TCP)(HOST= 1.2.3.4)(PORT=1521))


                  So, is it OK and what addresses is better to use ?

                  • 6. Re: scan access from external networks
                    Billy~Verreynne

                    SCAN address is preferred.

                     

                    The SCAN listeners know about all the listener services available on the cluster. A local node listener does not.